Everything you need to know about preventing online shopping bots

Last year, a top global gaming company dropped a new product. Traffic to the site soared.

428,000 visitors tried to access the waiting room for the drop, but the company only let 28,000 in.

Why?

Because 94% of the traffic came from bots, scalpers, and uninvited visitors.

Retail bot attacks like this are becoming more and more common. During the 2024 Holiday Season, 36% of all ecommerce web traffic came from bad bots, an increase of 24% YoY. 

But what are signs of a shopping bot problem? What business risks do they actually pose, if they still result in products selling out? And what steps can you take to stop retail bots? Read on to find out.

Table of contents

• What are shopping bots?
• How do online shopping bots work?
• What are the different types of retail bots?
• What products do shopping bots target?
• How to identify an ecommerce bot problem
• How to prevent ecommerce bots
• Why is bot management necessary?
• Summary: Ecommerce bot protection

Do you have a bot problem? Get your free guide to uncover the risks of bots & discover how you can beat them

Get my guide

An online shopping bot, also known as an "ecommerce bot" or "grinch bot", is software that's programmed to help make online purchases by performing automated tasks like checking for re-stocks and completing checkouts. Bots often imitate a human user's behavior, but with their speed and volume advantages they unfairly find and buy products in ways human customers can't.

Online shopping bots perform different malicious tasks. An individual bot may do one or more of these. A "grinch bot", for example, usually refers to bots that purchase goods, also known as scalping. But there are other nefarious bots, too, such as bots that scrape pricing and inventory data, bots that create fake accounts, and bots that test out stolen login credentials.

RELATED: Protect Against Bad Bots & Prevent Abuse With a Virtual Waiting Room

Online shopping bots work by using software to execute automated tasks based on instructions bot makers provide.

What all shopping bots have in common is that they provide the person using the bot with an unfair advantage. If shoppers were athletes, using a shopping bot would be the equivalent of doping.

Typically, ecommerce bots gain these advantages using either speed, or volume.

• Speed: Bots can constantly monitor websites for new products or sales, making automatic purchases the moment the product appears. In high-demand scenarios, they can add products to cart and checkout before a regular user even has a chance to login.
  
  
• Volume: Bots can simulate thousands of users, using fake accounts, virtual computers, and fake IP addresses. On one sale we worked on, we found and blocked a single person who was trying to get 30,000+ positions in an online queue. Bots use volume to evade detection, overwhelm defenses, and buy products in bulk.

In a typical high-demand sale or product drop, scalpers are not only faster than a normal website visitor, they also outnumber them by 10 to 1. Unless the retailer has advanced bot mitigation in place, regular people don't stand much of a chance.

RELATED: Bot Mitigation: How To Detect & Stop Bad Bots

Scraping bots

Scraping shopping bots work by monitoring web pages to facilitate online purchases. These bots scrape pricing information, inventory availability, and similar information so they can act the moment there's an opportunity for profit.

Footprinting bots

Footprinting is like scraping, but involves the bot probing and scanning the website for hidden pages. For example, a footprinting bot could search for live web URLs that haven’t yet been made public.

When the manager of a U.K.-based reseller group was asked how he bought so many PlayStation 5 consoles he answered: “We knew where to go before they announced it”. That’s footprinting in action.

Footprinting is also behind examples where bad actors ordered PlayStation 5 consoles a whole day before the sale was announced. By the time the retailer closed the loophole that gave the bad actors access, people had picked up their PS5s—all before the general public even knew about the new stock.

Account creation bots

For bad actors to complete purchases, they often need to use an account. Bad actors can generate a list of free emails and then use an account creation bot to generate accounts in bulk, sometimes in the hundreds or thousands.   

Credential stuffing & cracking bots

Sometimes instead of creating new accounts from scratch, bad actors use bots to access other shopper’s accounts. Both credential stuffing and credential cracking bots attempt multiple logins with (often illegally obtained) usernames and passwords.

In a credential stuffing attack, the shopping bot will test a list of usernames and passwords, perhaps stolen and bought on the dark web, to see if they allow access to the website.

A credential cracking bot will start with one value, like an email, and then test different password combinations until the login is successful.

Scalping bots

Probably the most well-known type of ecommerce bot, scalping bots (or purchase bots) use unfair methods to get limited-availability and/or preferred goods or services.

For example, scalper bots can “sit” on the product web page, constantly refreshing to click “add to cart” the second the product becomes available. Then the scalper bot can click through the purchase journey, autofill billing and shipping information, and press “buy” in the time it takes a human visitor to enter his or her email address.

Denial of inventory bots

Ever wonder how you’ll see products listed on secondary markets like eBay before the products even go on sale? Denial of inventory bots are to blame.

Representing the sophisticated, next-generation bots, denial of inventory bots add products to online shopping carts and hold them there. They don’t buy them—at least not initially.

By holding products in the carts they deny other shoppers the chance to buy them. What often happens is that discouraged shoppers turn to resale sites and fork over double or triple the sale price to get what they couldn’t from the original seller.

Only when a shopper buys the product on the resale site will the bad actor have the bot execute the purchase.

Denial of inventory bots are especially harmful to online business’s sales because they could prevent retailers from selling all their inventory.

Cashing out bots

Bad actors don’t have bots stop at putting products in online shopping carts. They’ll use bots to validate stolen credit card information. Cashing out bots then buy the products reserved by scalping or denial of inventory bots.

Ecommerce bots target any product or vertical they believe they can make a profit off. This typically means products that are in high demand, with low supply. Some of the most common products targeted by bots include:

• Sneakers: Limited-edition sneaker launches attract bots in massive volumes. Nike reports they get 12 billion illegitimate sneaker raffle entries every month.
  
  
• Collectibles: Bots exploit the passion of collectors by snatching up limited-edition goods and selling them back to collectors at massive markups.
  
  
• Graphics cards & gaming consoles: Anyone in the gaming world knows the problems bots caused when PlayStation 5s and graphics cards were in low supply.
  
  
• Holiday Season deals: Every year, "Grinch" bots snatch up the hottest kids toys of the season, selling them back to parents at inflated prices.
  
  
• Limited-edition product drops: Brand collaborations, celebrity product launches, hyped apparel—all these low supply launches attract bots in big numbers.

RELATED: How Sideshow Collectibles Runs "launches our customers can trust"

It might sound obvious, but if you don’t have clear monitoring and reporting tools in place, you might not know if bots are a problem.

As bots get more sophisticated, they also become harder to distinguish from legitimate human customers.

So what should you look for? Here’s a few red flags.

1. Increase in login failures

A spike in login failures could signal credential stuffing and cracking bots trying to take over existing customer accounts.

2. Spike in account creations

Increased account creations, especially leading up to a big launch, could indicate account creation bots at work. They’ll create fake accounts which bot makers will later use to place orders for scalped product. 

3. Traffic from unfamiliar geographies

Seeing web traffic from locations where your customers don’t live or where you don’t ship your product? Then you may be under attack from bots. This traffic could be from overseas bot operators or from bots using proxies to mask their true IP address. 

4. Increase in shopping cart abandonment

An increased cart abandonment rate could signal denial of inventory bot attacks. These bots hold product so others can’t buy. When the cart time expires, they snatch the products up again. They’ll only execute the purchase once a shopper buys for a marked-up price on a secondary marketplace. This behavior will reflect in your cart abandonment rate.   

5. Visits to product pages that aren’t public-facing

Footprinting bots snoop around website infrastructure to find pages not available to the public. If a hidden page is receiving traffic, it’s not going to be from genuine visitors.

6. Increase in traffic from data center IP addresses

Genuine users rarely originate from data center IP addresses. Instead, bot makers typically host their scalper bots in data centers to obtain hundreds of IP addresses at relatively low cost. In fact, research shows 70% of bad bots come from data centers. A spike in data center traffic likely signals a bad bot problem.

RELATED: Improve Bot Protection with Data Center IP blocking

7. Abnormal pageviews or bounce rates

If you observe a sudden, unexpected spike in pageviews, it’s likely your site is experiencing bot traffic. If bots are targeting one high-demand product on your site, or scraping for inventory or prices, they’ll likely visit the site, collect the information, and leave the site again. This behavior should be reflected as an abnormally high bounce rate on the page.

As you’ve seen, bots come in all shapes and sizes, and reselling is a very lucrative business. For every bot mitigation solution implemented, there are bot developers across the world working on ways to circumvent it.

It’s a cat-and-mouse game. Which means there’s no silver bullet tool that’ll keep every bot off your site. Even if there was, bot developers would work tirelessly to find a workaround. That’s why just 15% of companies report their anti-bot solution retained efficacy a year after its initial deployment. The target is constantly moving for retailers.

The key to preventing bad bots is that the more layers of protection used, the less bots can slip through the cracks.

If you have four layers of bot protection that remove 50% of bots at each stage, 10,000 bots become 5,000, then 2,500, then 1,250, then 625. In this scenario, the multi-layered approach removes 93.75% of bots, even with solutions that only manage to block 50% of bots each. 

1. Monitor & identify bot traffic

As the saying goes, if you can’t measure it, you can’t improve it. If you don’t have tools in place to monitor and identify bot traffic, you’ll never be able to stop it.

Sometimes even basic information like browser version can be enough to identify suspicious traffic.

Once scripts are made, they aren’t always updated with the latest browser version. Human users, on the other hand, are constantly prompted by their computers and phones to update to the latest version. It’s highly unlikely a real shopper is using a 3-year-old browser version, for instance.

It's recommended to show CAPTCHAs to browsers not updated in 2 years, and to flat out block browsers that haven't been updated in three years.

Updated as of May 2025. Release version history is available for Chrome, Firefox, Safari, and Edge.

Professional bot mitigation software gives you advanced insight into bot traffic and allows you to configure custom rules to protect against it. These detection tactics include:

• Anomaly detection: Detecting and flagging abnormal access patterns, such as low latency, high rate of attempts, or abnormal user journeys.
  
  
• Reputation scores: Automatic scoring of IP addresses based on user behavior, past network activity, and other signals.
  
  
• Blocking known bots & data centers: Maintaining a list of known bots and data centers that are associated with malicious activity.
  
  
• Device fingerprinting: Looking at combinations of hardware, software, browser settings, and more to create a “fingerprint” for each device.
  
  
• Behavioral analysis: Observing how visitors interact with via signals like mouse movements, click patterns, and typing behavior.
  
  
• Repeated requests from single IP: Identifying aggressive IP addresses by tracking rate or volume of requests.
  
  
• Visitor identification: Tying visitors to an “identity signal”, such as a login, promo code, email, or other unique identifier to enforce one session or transaction per visitor.
  
  
• Irregular or outdated user agents: Identifying bots via outdated user agents that are no longer used by regular human visitors.
  
  

2. Take action against suspicious traffic

It’s one thing to identify suspicious traffic. It’s another to respond.

Your bot mitigation solutions should let you not only block malicious traffic, but also test suspicious traffic. Common tests include CAPTCHA challenges and Queue-it's Proof-of-Work challenge.

While sophisticated bots today can solve most CAPTCHAs, the challenge mechanism is still useful for quickly and easily blocking simple bots, such as scrapers. Many of our customers still use CAPTCHAs, and we still see sales in 2025 where millions of visitors fail the CAPTCHA challenge.

Queue-it's Proof-of-Work challenge targets bots attacking using volume by using computing power as the limiting factor for bots. It makes every visitors' device complete a computational challenge that's invisible to regular users, but overloads the devices of bot operators who are trying to get hundreds or thousands of spots simultaneously.

For users flagged as bots, you need to tag and mitigate them. Options range from blocking the bots completely, rate-limiting them, or redirecting them to decoy sites. Logging information about these blocked bots can also help prevent future attacks.

3. Control & block bots with a virtual waiting room

A security checkpoint in an airport screens passengers before they can board their flight.

Similarly, a virtual waiting room acts as a checkpoint inserted between a web page on your website and the purchase path.

This security checkpoint slows down and controls traffic, allowing you to run a series of  bot checks on visitors before they hit your site or perform a protected action. It also enables you to prevent load-induced issues like crashes, slowdowns, and overselling by giving you control over the rate at which visitors hit your site or key bottlenecks.

Ticketmaster, for instance, reports blocking over 13 billion bots with the help of Queue-it's virtual waiting room.

Related: Protect Against Bad Bots & Prevent Abuse With a Virtual Waiting Room

By managing your traffic, you'll get full visibility with server-side analytics that helps you detect and act on suspicious traffic. For example, the virtual waiting room can flag aggressive IP addresses trying to take multiple spots in line, or traffic coming from data centers known to be bot havens. These insights can help you close the door on bad bots before they ever reach your website.

A screenshot of the Alerts page from Queue-it's Traffic Insights analytics tool

4. Leave time for after-sale audits

Some shopping bots will get through even the best bot mitigation strategy. But just because the bot made a purchase doesn’t mean the battle is lost.

If you’re selling limited-inventory products, dedicate resources to review the order confirmations before shipping the products.

This is a strategy used by retailers including Walmart and Very. It can go a long way in bolstering consumer confidence that you’re truly trying to keep releases fair.

Review the orders and ask:

• Are there multiple orders shipping to the same address?
• Were several orders made using the same IP address?
• Was the same credit card used by different customers?
• Is there social media chatter from customers bragging about how they used bots to buy your product?

Taking a critical eye to the full details of each order increases your chances of identifying illegitimate purchases. 

But the most advanced bot operators work to cover their tracks. They use proxies to obscure IP addresses and tweak shipping addresses—an industry practice known as “address jigging”—to fly under the radar of these checks.

In the TechFirst podcast clip below, Queue-it Co-founder Niels Henrik Sodemann explains to John Koetsier how retailers prevent bots, and how bot developers take advantage of P.O. boxes and rolling credit card numbers to circumvent after-sale audits. 

5. Bots create faulty analytics for decision-making

Bots can skew your data on several fronts, clouding up the reporting you need to make informed business decisions.

The fake accounts that bots generate en masse can give a false impression of your true customer base. Since some services like customer management or email marketing systems charge based on account volumes, this could also create additional costs.

Denial of inventory bots can wreak havoc on your cart abandonment metrics, as they dump product not bought on the secondary market.

Marketing spend and digital operations are just two of the many areas harmed by shopping bots.

6. Bots crash & slow down websites

By their nature, shopping bots use volume to their advantage. So it’s not difficult to see how they overwhelm web application infrastructure, leading to site crashes and slowdowns.

45% of online businesses said bot attacks resulted in more website and IT crashes.

To get a sense of scale, consider data from Akamai that found one botnet sent more than 473 million requests to visit a website during a single sneaker release.

Or think about a stat from GameStop’s former director of international ecommerce. “At times, more than 60% of our traffic - across hundreds of millions of visitors a day - was bots or scrapers,” he told the BBC. With recent hyped releases of the PlayStation 5, there’s reason to believe this was even higher.

When Walmart.com released the PlayStation 5 on Black Friday, the company says it blocked more than 20 million bot attempts in the sale’s first 30 minutes. Every time the retailer updated the stock, so many bots hit that the website of America’s largest retailer crashed several times throughout the day. 

Bots will even take a website offline on purpose, just to create chaos so they can slip through undetected when the website comes back online.

Whether an intentional DDoS attack or a byproduct of massive bot traffic, website crashes and slowdowns are terrible for any retailer. They lose you sales, shake the trust of your customers, and expose your systems to security breaches.

Related: Prevent Website Crashes From Bot Traffic With a Virtual Waiting Room

Shopping bots are becoming more sophisticated, easier to access, and are costing retailers more money with each passing year.

The brands that’ve struggled with bots for years, such as Nike, Sony, Amazon, and Walmart, know the threat of bots and are working hard to protect against them. But it’s no longer just big electronic and sneaker retailers that are facing bots. Bot traffic is growing across ecommerce and is impacting small and large websites alike.

To summarize the key points you need to know about online shopping bots:

• Shopping bots are software designed to give users an unfair advantage while shopping online.
  
  
• They scan websites and execute lightning-fast purchases in massive volumes to clear out stock for resale on secondary markets.
  
  
• Retail bots come in all shapes and sizes, from scraping bots to account creation bots to denial of inventory bots.
  
  
• Ecommerce bots target sales and product drops where they know they can resell products for profit, such as sneaker, graphics card, and gaming console releases.
  
  
• You can identify a bot problem by digging through your analytics and identifying abnormal behavior, or by using bot mitigation software. 
  
  
• Bots tarnish brand image, sever connections with valuable customers, crash websites, jeopardize business contracts, increase support costs, and muddle analytics crucial to decision making.
  
  
• You need a suite of bot mitigation tactics to stay on top of your bot problem, from CAPTCHAs to web traffic management to post-sale audits.

While there's no one-and-done solution to prevent every bot every time, there are many tools available to protect your ecommerce site from bots and the problems they bring with them. It's important you evaluate your bot problem and take action, because as brands from Nike to Amazon to Sony to Foot Locker recognize, the fight against bots is a fight for your customers.

(This blog has been updated since it was written in 2021.)